Skip to main content
SmartRecruiters

Web SSO

  1. Last updated
  2. Save as PDF
Requires:
  • SmartRecruit
  • +
  • SmartConnect

 

Admins can quickly enable single sign-on (SSO) and allow your users to sign in with their existing login credentials.

If you are using Okta for SSO and provisioning SmartRecruiters user accounts, please follow the Okta SmartRecruiters Integration Guide instead.

Prerequisites

In order to perform a full Web SSO set up with SmartRecruiters:

  • You should have an Identity Provider (IdP) set up and running and you know how to add a new Service Provider (SP) to the configuration.
  • You have an Admin account within SmartRecruiters to access Web SSO configuration.
  • You have integrated your IdP with SmartRecruiters User API in order to sync user profile details, and most importantly the ssoIdentifier property, in ongoing basis. 

Web SSO Configuration

To fully enable the SSO capability for your users, you will need to configure the Web SSO information in SmartRecruiters end and in your IdP end.

Configuring in SmartRecruiters

  1. Navigate to Settings / Admin
  2. Select Web SSO under Configuration
     clipboard_e60b7a3d774eeebbbfb904be6d69c8fc9.png
  3. Click Edit Web SSO configuration and enable Web SSO 
    clipboard_e06cea011b2815c69ea05595a9c4ecf84.png
  4. Select the Signature Algorithm and Certificate.
     clipboard_ede76bf5269a56705bffd877a23f72d3b.png
  5. From your IdP metadata, copy your IdP URL and certificate onto your clipboard. 
    clipboard_e7cb0a4868e09e6298b0552f73adc14e6.png
  6. Paste the IdP URL and certificate respectively onto the bottom half of the SmartRecruiters Web SSO configuration page. 
    clipboard_e8fde86ce09d39571b7ab4eb8fbc58ec9.png
  7. Save the Web SSO configuration.

Adding new Service Provider in your IdP

There are numbers of different IdPs out in the market and each requires slightly different steps to add Service Provider into its configuration. The general workflow for these IdPs, however, should remain the same as they support the SAML 2.0 standard.

The example steps below are to serve as a general guide to help you to add a new Service Provider in your IdP:

  1. In your IdP, locate the function or module that manages service providers
  2. Add a new service provide from SAML 2.0 XML metadata 
    clipboard_eccc4962d35c2e23aea8f38bfa7fdfb72.png
  3. In the Web SSO configuration page in SmartRecruiters, click Download SmartRecruiters metadata
    clipboard_e29c966098e9c7975760d61e9733485d9.png
  4. Copy the metadata onto your clipboard
     clipboard_e88edaf97b094961113125e3417644a85.pngclipboard_eb0afa69b25a231498e6b7f51255c9d54.png
  5. Paste and import the metadata in your IdP configuration 
    clipboard_e581ec854f63c1b87ddcc6ab6d533ae5b.png
  6. Add SmartRecruiters onto the service provider name field and save the configuration. 
    clipboard_ec2125de8556eec3d5bc413d41bd182e5.png

Please note that you must perform the User Provisioning step below - to configure your users' SSO Identifiers using SmartRecruiters User API before your user can sign into SmartRecruiters via SSO.

SmartRecruiters does NOT automatically assume any value, such as the user's email address, as the SSO Identifier. 

User Provisioning

Before your users can initiated the SSO log in, be sure to associate your users with SSO Identifier. You can do that by creating or updating users using the SmartRecruiters User API. You will need an active API credential to access the User API. See the Credential Manager guide for more detail.

  1. You can create a new user by making a POST call to the /users endpoint. Be sure to specify the SSO Identifier in the ssoIdentifer property in the call
  2. Alternatively, if the user has been created in SmartRecruiters but not though the API, you can make a PATCH call to the /users endpoint and update the user's ssoIdentifier property like in the following example:
{
    "op": "add",
    "path": "/ssoIdentifier",
    "value": "ssoIdentifierValue"
  }

After you completed the configuration in both SmartRecruiters and in your IdP and your users are associated with SSO Identifier, your user can initiate the SSO log in with the URL: 

https://www.smartrecruiters.com/web-sso/saml/<CompanyIdentifier>/login

Certificate Update

The SAML certificates which SmartRecruiters uses to enable the SSO functionality have expiration dates and will eventually expire. Prior to the date which the certificates are set to expire, SmartRecruiters will add in a new set of certificates.

To ensure your users can continue to access SmartRecruiters with their existing credentials, you will need to switch to the new certificate by selecting the new certificate on the SmartRecruiters Web SSO configuration page as well as updating the service provider configuration on your IdP end. The exact steps are the same as configuring the Web SSO for the first time.

The latest sets of SmartRecruiters SAML certificates are set to expire by the end of May, 2022.